In Java we are using ganymed-ssh2-build210.jar to connect to the server via SSH. I need to restrict the weaker algorithm "diffie-hellman-group1-sha1" specifically.
Are there any customizable settings in ganymed-ssh2-build210.jar that allow restricting this?
Is there any java.security setting available for restricting the same?
If you cannot control the server but the library on the client, the following might be an option:
ch/ethz/ssh2/transport/KexManager.java
to not support anymore diffie-hellman-group1-sha1
ganymed-ssh2-build210_1.jar
and use this one with the client application

edit: Find a step-by-step instruction to verify the above.
Assume the following structure
choose a mirror for apache-sshd-1.6.0.tar.gz
ganymed-ssh2-build210.jar
ganymed-ssh2-build210-sources.jar
SshServerDemo.java
SshClientDemo.java
extract the Apache server
compile the demo classes
extract the
KexManager.java
modify the file
KexManager.java
compile the patched
KexManager.java
create a patched library
in command line session ONE
start the server
in command line session TWO
check first the key exchange algos supported by the server
in the output only the
diffie-hellman-group1-sha1
is reported
run the client with the un-patched library
output
run the client with the patched library
output
on the server log
That proves that the SshClientDemo with the patched library cannot use the key exchange algorithm
diffie-hellman-group1-sha1
to connect to the server (which for the PoC only supports this one).
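
Why the patched client fails, as an added example that is not part of the original answer or of the Ganymed source: under RFC 4253 section 7.1 the key exchange method chosen is the first one on the client's list that the server also lists, so a client list without diffie-hellman-group1-sha1 has nothing in common with a server that offers only that method. The class name, the constructed KEXINIT payload and both client lists are assumptions made for illustration.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.List;

public class KexNegotiationDemo {
    static final byte SSH_MSG_KEXINIT = 20;

    // Builds a constructed SSH_MSG_KEXINIT payload (not captured traffic) carrying only a kex list.
    static byte[] buildKexInit(String kexAlgorithms) {
        byte[] kex = kexAlgorithms.getBytes(StandardCharsets.US_ASCII);
        ByteBuffer b = ByteBuffer.allocate(1 + 16 + 4 + kex.length + 9 * 4 + 1 + 4);
        b.put(SSH_MSG_KEXINIT);
        b.put(new byte[16]);                      // cookie (zeros in this sample)
        b.putInt(kex.length).put(kex);            // kex_algorithms name-list
        for (int i = 0; i < 9; i++) b.putInt(0);  // the other nine name-lists, left empty
        b.put((byte) 0);                          // first_kex_packet_follows = false
        b.putInt(0);                              // reserved
        return b.array();
    }

    // Extracts the kex_algorithms name-list, the first list after the 16-byte cookie.
    static List<String> parseKexAlgorithms(byte[] payload) {
        ByteBuffer b = ByteBuffer.wrap(payload);
        if (b.remaining() < 21 || b.get() != SSH_MSG_KEXINIT)
            throw new IllegalArgumentException("not a KEXINIT payload");
        b.position(b.position() + 16);
        int len = b.getInt();
        if (len < 0 || len > b.remaining())
            throw new IllegalArgumentException("bad name-list length");
        byte[] names = new byte[len];
        b.get(names);
        String list = new String(names, StandardCharsets.US_ASCII);
        return list.isEmpty() ? List.of() : Arrays.asList(list.split(","));
    }

    // RFC 4253 rule: first client algorithm that the server also supports, or null if none.
    static String negotiate(List<String> client, List<String> server) {
        for (String algo : client) if (server.contains(algo)) return algo;
        return null;
    }

    public static void main(String[] args) {
        List<String> server = parseKexAlgorithms(buildKexInit("diffie-hellman-group1-sha1"));
        // Assumed client lists: one that still includes group1, one with it removed.
        List<String> unpatched = List.of("diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1");
        List<String> patched = List.of("diffie-hellman-group14-sha1");
        System.out.println("server offers:    " + server);
        System.out.println("unpatched client: " + negotiate(unpatched, server));
        String chosen = negotiate(patched, server);
        System.out.println("patched client:   " + (chosen == null ? "no common kex, connection fails" : chosen));
    }
}
```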